WordPress Security: The Problem, The Solution, and The Immediate Action You Should Take

Imagine that you are in the market for a new home security system. Something more than just a buzzer on a 90-second delay.

You do your research and you find two general options:

The first option, offered by the majority of the home security providers you look into, pledges to send specialized teams to your house every time you’re gone, to attempt to break in.

When you return home, they provide you with a detailed report of the vulnerabilities they found – a loose window here, an unlocked back door there – and they leave without fixing them. You have no real way of knowing if any unwanted guests came in after they left.

The second option, offered by far fewer providers, actually has a database of all known thieves that includes their signature modes of entry and what they’re likely to take.

In addition to using this database to check your house for vulnerabilities and breaches, this provider also checks each room of the house one by one to let you know if it’s safe to re-enter the house when you arrive home.

Which one would you choose?

Assuming the cost of the second provider is not exorbitant – which it’s not – of course you’d choose the second option. If it’s your family’s safety at stake, a few extra bucks is well worth it, in exchange for peace of mind.

The same is true for your website.

And that’s why we’ve partnered with Sucuri to provide the web equivalent to Option #2 above: server-side scanning.

In an industry that usually doesn’t go beyond Option #1 to protect you, we want you to have the peace of mind of knowing that your home on the web is safe.

The Problem: Malware

Did you know that Google blacklists over 6,000 malware-infected websites a day?

Consider the ramifications of your website being blacklisted tomorrow. Might hinder your traffic a bit, no?

So here’s an understatement for you: malware is a big problem on the web.

It’s a big problem for you, the website owner, because every second your site is online is another second it’s at risk of being hacked.

And it’s a particularly huge, keep-you-up-at-night problem for us because it is our job to protect your site from these threats.

We want all of our servers and all of our customers’ WordPress sites to be safe and protected, but the threat is not a static one nor does it ever go away. This is why security on the web requires constant vigilance, the ability to be nimble, and a humble commitment to perpetual improvement.

Sites end up on our doorstep every day that have been severely hacked. It could be risky business for us to invite problems like these into our house here at Synthesis.

But it’s not, because we’re confident in our approach and in the solutions we have in place to not only de-hack a WordPress website, but also to keep it clean in the future.

We rely on a multifaceted approach to security that includes:

  • Minimalistic, locked-down server configurations
  • In-house injection blocking software
  • Strong relationships with security specialists like Sucuri

The importance of this last bullet cannot be overstated.

Another problem is that there is a plethora of companies that say they provide external security scanning services. But in reality, few do it well … if they really do anything at all.

Many simply do the equivalent of Option #1 in our example above: throw a bunch of injection strings at your site and provide you with a report about what they feel is a vulnerability.

You can understand why your back door being unlocked is a problem when it comes to home security. And you can easily fix it. But you have to be a computer scientist to really make sense of whatever vulnerability report gets spat out to you.

Furthermore, those who actually scan for malware are limited by their malware database. This criterion alone led us to Sucuri over a year ago. We were impressed not only by the sophistication of their signature database but also by their efforts to keep it up to date.

Still, hackers are not idiots. Quite the contrary. Some of the brightest and most capable minds using the web right now are, unfortunately, doing so for selfish and nefarious purposes. So there are limitations to external scanners.

For example, if you are an HVAC company and your site gets hacked, you will likely find out from a local customer who gets a browser warning of malware. Conditional malware can even be as sophisticated as to only rear its ugly head in certain geographies based on IP addresses.

Yeah. Serious stuff.

Even worse, hackers know how to hide from external scanners, and even from Googlebot, to avoid detection.

But we don’t dwell on problems here at Synthesis. We seek solutions. And in Sucuri, we’ve found a partner that provides exactly the kind of solution that can help combat even the most advanced attacks.

The Solution: Server-Side Scanning

Server-side scanning like Sucuri’s involves a small file that allows communication with their scanners and signature base from the server side as opposed to over HTTP.

An added bonus: Sucuri does the lifting, and it is not resource intensive on the server.

At Synthesis, we actually use two of these services, one being Sucuri’s. We run it every 4-6 hours and then take action based on the results.
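
As an added illustration of why scanning from the server side sees more than scanning over HTTP (this is not Sucuri's or Synthesis's code, and the two signatures and the sample files are constructed for the example), the following Python scanner reads files straight from disk, so it flags a snippet that hides from crawlers no matter what the site serves to an external scanner.

```python
import re
import tempfile
from pathlib import Path

# Constructed, illustrative signatures; a real service relies on a maintained database.
SIGNATURES = {
    "obfuscated-eval": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "crawler-cloaking": re.compile(rb"HTTP_USER_AGENT[^;]{0,200}(googlebot|bingbot)", re.I),
}
SCANNED_SUFFIXES = {".php", ".phtml", ".inc", ".js"}


def scan_tree(root):
    """Read every script under root from disk; return {relative_path: [signature names]}."""
    findings = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        data = path.read_bytes()  # file contents, not the rendered HTTP response
        hits = [name for name, rx in SIGNATURES.items() if rx.search(data)]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_site(root):
    """Constructed sample web root: one clean file, one file with an inert cloaked snippet."""
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    # The base64 string decodes to the text CONSTRUCTED; it is not a payload.
    (root / "wp-content" / "uploads" / "cache.php").write_text(
        "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') === false) {\n"
        "  eval(base64_decode('Q09OU1RSVUNURUQ='));\n}\n"
    )


def demo():
    """Build the constructed site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(rel, hits)
```

A hit here is only a lead for the person reviewing the results; legitimate plugins sometimes match patterns like these.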

Here is the description of the service from Sucuri’s website:

Web-malware continues to evolve making it challenging to detect using only HTTP fingerprinting techniques, such as the ones SiteCheck is restricted to. As such we have been working to develop a new method of scanning that allows us to better detect infections on the server and site directories, specifically backdoors that are causing and acting as entry points to the infections.

The feature was designed to complement existing scanning capabilities improving the rate of detection such that we can more quickly detect issues before the blacklisting authorities (i.e., Google, Bing, Norton, AVG, etc.) get the chance to impact your online reputation.

Sounds pretty great, right?

And it is. But it’s not a solution in and of itself.

Even with server-side scanners, someone has to check the results and then get rid of malware if your site is infected.

Dre Armeda, one of the co-founders of Sucuri, explained that they do not believe in 100% automation for clean ups. They have great tools and processes, but they also assign a security engineer to every remediation case.

“It’s important to have that oversight when dealing with folks that are in a vulnerable position,” Armeda explained.

We agree.

And this issue of clean ups is also where we come in, because we take care of it for you. It’s the “premium managed” part of Premium Managed WordPress Hosting.

Some sites come to us so infected that it takes a couple rounds of scanning and acting on the results of those scans to get the malware out. This stuff can be tricky.

Fortunately for you – just through migrations alone – we’ve gotten very efficient in our processes with Sucuri. We remove malware on discovery and are checking our reports multiple times per day.

The Action: Protect Your WordPress Website

We are about improving performance and locking down security. Everything we do at Synthesis is aimed at one of those two objectives.

If you are a current customer, you know this. And now you can feel even safer than you did before knowing that we have added server-side scanning to our arsenal.

It’s part of our unyielding commitment to constantly deliver additional value.

But we aren’t for everyone.

If you run a non-WordPress website, or if you have a WordPress site but choose to host elsewhere, you can go direct with Sucuri. We highly recommend it.

And if you are not a current customer, but performance and security are important to you, I’d suggest you decide which of our hosting plans is right for you. Sign up. We’ll help you get your site cleaned up during your migration so you get a fresh start when it comes to security.

Then you’ll have peace of mind knowing someone is going through your website every day either providing the “All clear!” or fixing it until we can.

Comments

  1. As someone who has used Sucuri for my startup I can vouch this is an amazing service and add on for your business!

  2. I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have written up my experiences in a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.

    My checklist has a few more items on it and includes step by step instructions on how to get the job done…

    Hopefully the checklist can help other people securing their WordPress sites…
